solvers: equality and arrays lecture 4 2012
DESCRIPTION
Solvers: Equality and Arrays Lecture 4 2012. Nikolaj Bjørner Microsoft Research DTU Winter course January 5 th 2012. Plan. The theory of Un-interpreted functions The Theory of Arrays. Key Takeaways :. Theory of equality, un-interpreted functions and arrays - PowerPoint PPT PresentationTRANSCRIPT
Solvers: Equality and Arrays
Lecture 4 2012
Nikolaj Bjørner Microsoft ResearchDTU Winter course January 5th 2012
PlanThe theory of Un-interpreted functions
The Theory of Arrays
Key Takeaways:
Theory of equality, un-interpreted functions and arrays
Saturation-based decision proceduresA common patternConnections with algorithms used in program analysis
Inference rule formulationDatalog formulation
A reduction approach to decision proceduresThe theory of array reduces to theory of equalities/functions
Deciding Equality
E - The theory of equalityReflexivity: t = t
Symmetry: t = s s = t
Transitivity: t = s s= u t = u
Congruence: t1= s1 .. tn =sn f(t1, …, tn) = f(s1, …, sn)
E – the (infinite) conjunction of these axioms
Congruence Closure
E-satisfiability can be decided with a simple algorithm known as congruence closure.
Congruence closure creates a finite quotient for DC(E + L).
E – Equality axiomsL – Literals: extra equalities in input
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
a b c d e s t
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
a b c d e s t
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
c d e s ta,b
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
c d e s ta,b
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
d e s ta,b,c
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
d e s ta,b,c
d,e
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
s ta,b,c
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
s ta,b,c d,e
a,b,c,s
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
td,e
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
td,ea,b,c,s
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
a,b,c,s d,e,t
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
a,b,c,s d,e,t
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e, a s
a,b,c,s d,e,t
Unsatisfiable
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e
a,b,c,s d,e,t
Model construction
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e
a,b,c,s d,e,t
Model construction|M| = {1 ,2} (universe, aka domain)
1 2
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e
a,b,c,s d,e,t
Model construction|M| = {1 ,2} (universe, aka domain)
M(a) = 1 (assignment)
1 2
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e
a,b,c,s d,e,t
Model construction|M| = {1 ,2} (universe, aka domain)
M(a) = 1 (assignment)
1 2
Alternative notation:aM = 1
Deciding Equality
a = b, b = c, d = e, b = s, d = t, a e
a,b,c,s d,e,t
Model construction|M| = {1 ,2} (universe, aka domain)
M(a) = M(b) = M(c) = M(s) = 1
M(d) = M(e) = M(t) = 2
1 2
Deciding Equality:Termination, Soundness, Completeness
Termination: easySoundness
Invariant: all constants in a “ball” are known to be equal.The “ball” merge operation is justified by:
Transitivity and Symmetry rules.Completeness
We can build a model if an inconsistency was not detected.Proof template (by contradiction):
Build a candidate model.Assume a literal was not satisfied.Find contradiction.
Deciding Equality:Termination, Soundness, Completeness
CompletenessWe can build a model if an inconsistency was not detected.Instantiating the template for our procedure:
Assume some literal c = d is not satisfied by our model.That is, M(c) ≠ M(d).This is impossible, c and d must be in the same “ball”.
c,d,…i
M(c) = M(d) = i
Deciding Equality:Termination, Soundness, Completeness
CompletenessWe can build a model if an inconsistency was not detected.Instantiating the template for our procedure:
Assume some literal c ≠ d is not satisfied by our model.That is, M(c) = M(d).Key property: we only check the disequalities after we processed all equalities.This is impossible, c and d must be in the different “balls”
c,… M(c) = i
M(d) = j
i
d,…j
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, f(a, g(d)) f(b, g(e))
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, f(a, g(d)) f(b, g(e))
First Step: “Naming” subterms
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, f(a, v1) f(b, g(e))v1 g(d)
First Step: “Naming” subterms
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, f(a, v1) f(b, g(e))v1 g(d)
First Step: “Naming” subterms
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, f(a, v1) f(b, v2)v1 g(d), v2 g(e)
First Step: “Naming” subterms
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, f(a, v1) f(b, v2)v1 g(d), v2 g(e)
First Step: “Naming” subterms
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 f(b, v2)v1 g(d), v2 g(e), v3 f(a, v1)
First Step: “Naming” subterms
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 f(b, v2)v1 g(d), v2 g(e), v3 f(a, v1)
First Step: “Naming” subterms
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 v4
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
First Step: “Naming” subterms
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 v4
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
a,b,c,s d,e,t v1 v2 v3 v4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 v4
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
d = e implies g(d) = g(e)
a,b,c,s d,e,t v1 v2 v3 v4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 v4
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
d = e implies v1 = v2
a,b,c,s d,e,t v1 v2 v3 v4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 v4
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
d = e implies v1 = v2
a,b,c,s d,e,t v1,v2 v3 v4
We say:v1 and v2 are congruent.
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 v4
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
a = b, v1 = v2 implies f(a, v1) = f(b, v2)
a,b,c,s d,e,t v1,v2 v3 v4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 v4
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
a = b, v1 = v2 implies v3 = v4
a,b,c,s d,e,t v1,v2 v3 v4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 v4
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
a = b, v1 = v2 implies v3 = v4
a,b,c,s d,e,t v1,v2 v3,v4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, v3 v4
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
a,b,c,s d,e,t v1,v2 v3,v4
Unsatisfiable
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
a,b,c,s d,e,t v1,v2 v3,v4
Changing the problem
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
a,b,c,s d,e,t v1,v2 v3,v4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Congruence Rule:x1 = y1, …, xn = yn implies f(x1, …, xn) = f(y1, …, yn)
a,b,c,s d,e,t v1,v2 v3,v4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Model construction:|M| = {1 ,2 ,3 ,4}
M(a) = M(b) = M(c) = M(s) = 1
M(d) = M(e) = M(t) = 2
M(v1) = M(v2) = 3
M(v3) = M(v4) = 4
a,b,c,s d,e,t v1,v2 v3,v4
1 2 3 4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Model construction:|M| = {1 ,2 ,3 ,4}
M(a) = M(b) = M(c) = M(s) = 1
M(d) = M(e) = M(t) = 2
M(v1) = M(v2) = 3
M(v3) = M(v4) = 4
a,b,c,s d,e,t v1,v2 v3,v4
1 2 3 4
Missing:Interpretation for f and g.
Deciding Equality + (uninterpreted) Functions
Building the interpretation for function symbols
M(g) is a mapping from |M| to |M|Defined as:
M(g)(i) = j if there is v g(a) s.t.M(a) = i
M(v) = j
= k, otherwise (k is an arbitrary element)Is M(g) well-defined?
Deciding Equality + (uninterpreted) Functions
Building the interpretation for function symbols
M(g) is a mapping from |M| to |M|Defined as:
M(g)(i) = j if there is v g(a) s.t.M(a) = i
M(v) = j
= k, otherwise (k is an arbitrary element)Is M(g) well-defined?
Problem: we may have v g(a) and w g(b) s.t.M(a) = M(b) = 1 and M(v) = 2 ≠ 3 = M(w)So, is M(g)(1) = 2 or M(g)(1) = 3?
Deciding Equality + (uninterpreted) Functions
Building the interpretation for function symbols
M(g) is a mapping from |M| to |M|Defined as:
M(g)(i) = j if there is v g(a) s.t.M(a) = i
M(v) = j
= k, otherwise (k is an arbitrary element)Is M(g) well-defined?
Problem: we may have v g(a) and w g(b) s.t.M(a) = M(b) = 1 and M(v) = 2 ≠ 3 = M(w)So, is M(g)(1) = 2 or M(g)(1) = 3?
This is impossible because of the congruence rule!a and b are in the same “ball”, then so are v and w
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)
Model construction:|M| = {1 ,2 ,3 ,4}
M(a) = M(b) = M(c) = M(s) = 1
M(d) = M(e) = M(t) = 2
M(v1) = M(v2) = 3
M(v3) = M(v4) = 4
a,b,c,s d,e,t v1,v2 v3,v4
1 2 3 4
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}
M(a) = M(b) = M(c) = M(s) = 1
M(d) = M(e) = M(t) = 2
M(v1) = M(v2) = 3
M(v3) = M(v4) = 4
M(g)(i) = j if there is v g(a) s.t.M(a) = i
M(v) = j
= k, otherwise
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}
M(a) = M(b) = M(c) = M(s) = 1
M(d) = M(e) = M(t) = 2
M(v1) = M(v2) = 3
M(v3) = M(v4) = 4
M(g) = {2 →3}
M(g)(i) = j if there is v g(a) s.t.M(a) = i
M(v) = j
= k, otherwise
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}
M(a) = M(b) = M(c) = M(s) = 1
M(d) = M(e) = M(t) = 2
M(v1) = M(v2) = 3
M(v3) = M(v4) = 4
M(g) = {2 →3}
M(g)(i) = j if there is v g(a) s.t.M(a) = i
M(v) = j
= k, otherwise
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}
M(a) = M(b) = M(c) = M(s) = 1
M(d) = M(e) = M(t) = 2
M(v1) = M(v2) = 3
M(v3) = M(v4) = 4
M(g) = {2 →3, else →1}
M(g)(i) = j if there is v g(a) s.t.M(a) = i
M(v) = j
= k, otherwise
Deciding Equality + (uninterpreted) Functions
a = b, b = c, d = e, b = s, d = t, a v4, v2 v3
v1 g(d), v2 g(e), v3 f(a, v1) , v4 f(b, v2)Model construction:|M| = {1 ,2 ,3 ,4}
M(a) = M(b) = M(c) = M(s) = 1
M(d) = M(e) = M(t) = 2
M(v1) = M(v2) = 3
M(v3) = M(v4) = 4
M(g) = {2 →3, else →1}M(f) = { (1 ,3) →4, else →1}
M(g)(i) = j if there is v g(a) s.t.M(a) = i
M(v) = j
= k, otherwise
Deciding Equality + (uninterpreted) Functions
What about predicates?
p(a, b), p(c, b)
Deciding Equality + (uninterpreted) Functions
What about predicates?
p(a, b), p(c, b)
fp(a, b) = T, fp (c, b) ≠ T
E-satisfiability - examplef(f(a)) = a, a f(a)
Congruence Closure Graph
Congruence Closure Graph
Congruence Closure Graph
Congruence Closure Graph
Congruence Closure Graph
Congruence Closure Graph
Conguruence Closure GraphRecall congruence rule:
Congruence:
t1= s1 .. tn =sn f(t1, …, tn) = f(s1, …, sn)
Congruence Closure Graph
Congruence Closure Graph
Congruence Closure Graph
Congruence Closure Graph
Congruence Closure Graph
Congruence Closure Graph
Congruence closure graphLet G = (V,E) be a directed graph such that for each vertex v in G, the successors (children) of v are ordered.Let C be any equivalence relation on V.The congruence closure C* of C is the finest equivalence relation on V,
that contains C : v C w then v C* w Closed: If
children(v) = v1 ..vn
children(w) = w1 ..wn Then v C* w v1 C* w1 … vn C* wn
Congruence closure graphFrom literals L to a congruence graph.
For each subterm t in L create a vertex vt
For each function symbol f create vertex vf
If t = f(t1, …, tn), let children(vt) = vf, vt1, …, vtn
From literals L to an initial equivalence CInitially C = { { v } | v V }For each equality t = s L:
Merge equivalence classes for vt and vs
Computing congruence closureFrom the definition, we can read off that Congruence
closure is the least fixed-point of the operator CongClos:
CongClos(C* )(v,w) =
v C w or let v1 .. vn = children(v)
let w1 ..wn = children(w) in CongClos(C*
)(v1, w1) .. CongClos(C*
)(vn, wn)
Computing Congruence closure
Fixed-point characterization suggests (dynamic programming) algorithm:
Maintain root vertex for each equivalence class.Maintain sig(nature) of each vertex:
sig(vf(t1,..,tn)) = root(vf ), root(vt1).. root(vtn) Initialize C* Cwhile v,w V s.t. v C* w, but sig(v) = sig(w):
C* C* with classes for v, w merged
Computing Congruence closure
A more efficient implementation of congruence closureUse union-find for maintaining rootsMaintain use (a list) for set of parent vertices.Set todo = {}def merge(v, w):
C* C* with classes for v, w merged foreach vp use(v), wp use(w):
add vp, wp to todo foreach asserted equality (v,w): merge(v,w)while some v, w todo : remove v, w from todo if v C* w, but sig(v) = sig(w) then merge(v,w)
Using congruence closureBack to the main problem.
E-satisfiability t1 = t2 t3 = t4 t5 t6
Form graph using {t1, t2, t3 , t4 , t5 , t6 }Initialize C from equalitiesCompute C* from CCheck that vt5 C* vt6
Congruence closure algorithmSoundness: C* just simulates axioms of E.
Completeness: From C* build model M.fM(v1, …, vn) = root(v),
if there is a v, such that sig(v) = fM,v1, …, vn fM(v1, …, vn) = *
otherwiseThen all axioms in E are true in M.All equalities in L are true in M.
DPLL(E)Congruence closure just checks satisfiability of conjunction of literals.
How does this fit together with Boolean search DPLL?
DPLL builds partial model M incrementallyUse M to build C*
After every Decision or Propagate, orWhen F is propositionally satisfied by M.
Check that disequalities are satisfied.
E - conflictsRecall Conflict:
Conflict M || F M || F || C if CF, M ⊨T C
A version more useful for theories:
Conflict M || F M || F || C if C M, ⊨T C
E - conflictsExample
M = fff(a) = a, g(b) = c, fffff(a)= a, a f(a) C = fff(a) = a, fffff(a)=a, a f(a)⊨E fff(a) a fffff(a) a a = f(a)
Use C as a conflict clause.
E - conflictsHow can one mine M for E-conflicts?
ConvexityThe theory E is convex.
Convexity: Let L be a set of equalities and disequalitiesIf L ⊨E s1 = t1 … sn = tn Then for some i: L ⊨E si = ti (proof: use soundess and completeness of Congruence Closure).
A consequence:To check satisfiability it suffices to check each disequality in isolation.
Inference rules, Abstract decision procdures, and Datalog Consider Datalog formulation: Rule formulation:
Eq(x,x) .Eq(x,y) :- Eq(y,x).Eq(x,y) :- Eq(x,z), Eq(z,y) .Eq(u,v) :- Eq(x,y), F(x,u), F(y,v) .
F(a,f(a)) . F(b, f(b)) . Eq(a,b) .?- Eq(f(a),f(b)) .
Congruence closure algorithm is “just” an efficient way of computing closure of Eq(_,_).
𝑥∼𝑦𝑦∼𝑥
𝑥∼𝑦 𝑦∼𝑧𝑥∼𝑧
𝑥∼𝑦𝑢≡ 𝑓 (𝑥 ) ,𝑣≡ 𝑓 ( 𝑦 )𝑢∼𝑣
𝑥∼𝑥
Arrays
Why use abstract arrays?def swap(a, i, j): tmp = a[i]; a[i] = a[j]; a[j] = tmp;
new(a)[i] = a[j]new(a)[j] = a[i]k i, k j a[k] = new(a)[k]
def swap(a, i, j): tmp = a[i]; a = write(a,i,a[j]); a= write(a,j,tmp);
def swap(a, i, j): tmp = a[i]; a1= write(a,i,a[j]); a2= write(a1,j,tmp); new(a) = a2
new(a) = let tmp = a[i] a1= write(a,i,a[j]); a2= write(a1,j,tmp); in a2
new(a) = write(write(a,i,a[j]),j,a[i])
new(a)[j] = write(write(a,i,a[j]),j,a[i])[j] = a[i]
new(a)[i] = write(write(a,i,a[j]),j,a[i])[i] = if i = j then a[i] else write(a,i,a[j])[i] =if i = j then a[i] else a[j] =a[j]
Theory of arraysFunctions: F = { read, write }Predicates: P = { = }Convention a[i] means: read(a,i)
Non-extensional arrays TA: a, i, v . write(a,i,v)[i] = va, i, j, v . i j write(a,i,v)[j] = a[j]
Extensional arrays: TEA = TA + a, b. ((i. a[i] = b[i]) a = b)
Array examples
( , , ) [ ] [ ]b write a i v i j b j a j
( , , )( , , )
[ ] [ ]
b write a i vc write a j ww b j v c i b c
Array examples( , , ) [ ] [ ]b write a i v i j b j a j
( , , ) [ ] [ ]b write a i v i j b j a j
Is valid
Is unsat
( , , ) [ ] [ ]( ( , , )[ ] [ ])b write a i v i j b j a ji j write a i v j a j
Is unsat(arrayaxiom)
( , , )[ ] [ ] ( , , )[ ] [ ]b write a i v i ja j b j write a i v j a j
Is unsat(congruence)
Array examplesIs valid
Is unsat
( , , )( , , )
[ ] [ ]
b write a i vc write a j ww b j v c i b c
( , , )( , , )
[ ] [ ]
b write a i vc write a j ww b j v c i b c
Array examplesIs unsat( , , )
( , , )[ ][ ]
b write a i vc write a j ww b jv c ib c
[ ] ( , , )[ ][ ] ( , , )[ ]
w b j write a i v jv c i write a j w i
( , , )[ ] [ ]i j write a i v j a j Array axiom
Array examplesIs unsat( , , )
( , , )[ ] ( , , )[ ][ ] ( , , )[ ]
( , , )[ ] [ ]( , , )[ ] [ ]
b write a i vc write a j ww b j write a i v jv c i write a j w ib ci j write a i v j a ji j write a j w i a i
Array examplesCase:
( , , )( , , )
[ ] ( , , )[ ][ ] ( , , )[ ]
b write a i vc write a j ww b j write a i v jv c i write a j w ib ci j
i j
Array examplesCase:( , , )
( , , )[ ] ( , , )[ ][ ] ( , , )[ ]
( , , )[ ]
b write a i vc write a j ww b j write a i v jv c i write a j w ib ci jwrite a i v i v
i j
Array axiom
Array examplesCase:
( , , )( , , )
[ ] ( , , )[ ][ ] ( , , )[ ]
( , , )[ ]
b write a i vc write a j ww b j write a i v jv c i write a j w ib ci jwrite a i v i vw v
i j
Array examplesCase:
( , , )( , , )
[ ] ( , , )[ ][ ] ( , , )[ ]
( , , )[ ]
b write a i vc write a j ww b j write a i v jv c i write a j w ib ci jwrite a i v i vw vb c
i j
Congruence
Array examples – a few steps
Case:( , , )( , , )
[ ] ( , , )[ ][ ] ( , , )[ ]
( , , )[ ] [ ]( , , )[ ] [ ]
b write a i vc write a j ww b j write a i v jv c i write a j w ib cwrite a i v j a jwrite a j w i a i
i j
Array examplesCase:
( , , )( , , )
[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]
b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib c
i j
Array examplesCase:
( , , )( , , )
[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]
( . [ ] [ ])
b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib ck b k c k b c
i j
Extensionality
Array examplesCase:
( , , )( , , )
[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]
( . [ ] [ ])
b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib c
k b k c k
i j
Extensionality
Array examplesCase:
( , , )( , , )
[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]
[ ] [ ]
b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib cb k c k
i j
Skolemize
Array examplesCase:
( , , )( , , )
[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]
[ ] [ ]( ( , , )[ ] [ ])( ( , , )[ ] [ ])
b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib cb k c ki k write a i v k b kj k write a j w k c k
i j
Array axiom
Array examplesCase:
( , , )( , , )
[ ] ( , , )[ ] [ ][ ] ( , , )[ ] [ ]
[ ] [ ]( ( , , )[ ] [ ])( ( , , )[ ] [ ])
b write a i vc write a j ww b j write a i v j a jv c i write a j w i a ib cb k c ki k write a i v k b kj k write a j w k c kyadayadayada
i j
Decision procedures for arraysLet L be literals over F = { read, write }
Find M such that: M ⊨TA L
Basic algorithm, reduce to E: for every sub-term read(a,i), write(b,j,v) in L
i j a = b read(write(b,j,v),i) = read(a,i)read(write(b,j,v),j) = v
Find ME, such thatME ⊨E L AssertedAxioms
Decision procedures for arraysCorrectness of basic algorithm:
ME satisfies array axioms on terms in L.To show that ME can be extended to model for arrays:
From Congurence Closure C* build model:aM = [| *d1 *r1 , *d2 *r2 , *d3 .., else vroot(a) |]Where readM(aM, *di ) = *r1 e.g., *r1 = root(read(root(a),root(i)) under C*
Model satisfies array axioms.For every write(a,i,v) the model satisfies write(a,i,v)[j] = a[j] whenever iM jM (first axiom) and also write(a,i,v)[i] = v (second axiom).vroot(a) was added to make arrays different unless they were forced to be (no extensionality)
Non-extensionalityA non-theorem
a and b need not be equal even if the array axioms hold.
( , , ) [ ]b write a i v a i v a b
Extensional arraysTo enforce:
a, b. ((i. a[i]= b[i]) a = b)
For every pair a, b in L, Add fresh constant iab
Add axiom a b a[iab] b[iab]
Arrays galoreArrays may be more than just read/write.
The constant array:v, i . const(v)[i] = v
Generalized write: a,b,c, i . a[i] = b[i] write(a,b,c)[i] = c[i] a,b,c, i . a[i] b[i] write(a,b,c)[i] = b[i]We now have sets: = const(false), T = const(true), A B = write(,A,B)[i] A B = write(T,A,B)[i]
Ranges:l,u, x . range(l,u)[x] l x u
Arrays galoreClaim: Same kind of reduction to E (and arithmetic) works
Integer ranges, require slightly morerange(l,u)[l-1], range(l,u)[u+1]range(l,u)[l], range(l,u)[u]
Is there a general principle underpinning such extensions?
Arrays galoreConsider a more general formulation. is a conjunction of:
Equalities, disequalities i, j, k . G(i,j,k) F(i,j,k)
Where G is a guard formula comparing indices:And-or formula of i j, i cClaim: We can always eliminate i =j from the guard.
Where F is a general formula with arrays, Restriction: no nested array formulas.
Example: j . if i = j then b[i] = v else b[i] = a[i]Encodes that b = write(a,i,v)
Arrays galore i, j, k . G(i,j,k) F(i,j,k)
Where G is a guard formula comparing indices:And-or formula of i j, i cClaim: We can always eliminate i =j or i = c from the guard.
i, j, k . i = j k c j c’ F(i,j,k) i, k . k c i c F(i,i,k)
Arrays galore i, j, k . G(i,j,k) F(i,j,k)
Where G is a guard formula comparing indices:And-or formula of i j, i cClaim: We can always or from the guard
i, j, k . G(i,j,k) G’(i,j,k) F(i,j,k)
i, j, k . G(i,j,k) F(i,j,k) i, j, k . G’(i,j,k) F(i,j,k)
Arrays galore i, j, k . G(i,j,k) F(i,j,k)
Where G is conjunction of i j, i c
Decision procedure:Collect all c, where a[c] or c = i Instantiate quantifiers by all combinations of such indices.Check for E – satisfiability of ground formula.
Correctness: All quantified formulas are satisfied by C* .
Arrays galore - Arithmetic i, j, k . G(i,j,k) F(i,j,k)
Where G is conjunction of i < j, i < c, i > c
Decision procedure:Collect all c, where a[c], c < i , c > i occurs in formula.For each c, also add c-1, c+1 to collection.Instantiate quantifiers by all combinations of collected indices.Check for ILA + E – satisfiability of ground formula.
Combinatory Array Logic
What else are arrays?Special combinators:
Result: Existential fragment is decidable and in NP by reduction to congruence closure using finite set of instances. ( f belongs to base theory – not arrays)
( , , ) . ( , , [ ])
( ) .
( , ) . ( [ ], [ ])f
write a i v j ite i j v a j
K v j v
map a b j f a j b j
… A different fragment:
Then:
Theory is decidable.
( ) .
( , , ) . ( [ ], [ ], [ ])
( , ) .( [ ] [ ])
.
ite
K v j v
map a b c j ite a j b j c j
map a b j a j b j
I j j
( , , ) ( ( ( ), ), ( ), )itewrite a i v map map K i I K v a
Last combinator for the road…Can I access a default array value?
( )
( ( ))( ( , )) ( ( ), ( ))
( ( , , )) ( )
f
a default
K v vmap a b f a b
write a i v a
Only sound for infinite domains
Let’s use CAL:Simple set and bag operations:
But not cardinality |A|, power-set 2A, …
min
(0)( ){ } ( , ,1){ } ( , , )( , ) [ ][ ]
( , )( , )( , )( , )
( ) ( ( ) 0)( ) ( ( ) )
Bag
Bag
KK falsea write aa write a true
mult a A A aa A A aA B map A BA B map A BA B map A BA B map A B
finite A Afinite A A false
A Basic Decision Procedure
A reduction-based approach
( )?ArraySat T
( ( ) )?Equality ArraySat T Closure
Use saturation rules to reduce arrays to the theory of un-interpreted functions
Extract models for arrays as finite graphs
Array Saturation Rules
a~b – a and b are equal in current contexta≡t – a is a name for the term t
Congruence Closure Rule
Bottlenecks Extensionality axiom is
instantiated on every pair of array variables.
Upwards propagation distributes index over all modifications of same array.
Bottlenecks and Bottleneck:
Extensionality axiom is instantiated on every pair of array variables.
Optimization: Restrict to variables asserted different, or shared.
Bottlenecks and Bottleneck: Upwards
propagation distributes index over all modifications of same array.Optimization: Only use for updates where ancestor has multiple children. Formulas from programs are well-behaved.
The effect on benchmarksThis is where it matters
Saturating for CAL
Saturating K, map,
Saturating K, map, Rules for map are similar as for store.
Optimization of has to be generalized.
Finite domains…